winlogon.exe 100% CPU

I am working on a computer that is running very slow. 32rundll.exe is running all the time and winlogon.exe is using 100% of the CPU. I have run adaware, spybot, and antivirus software. All have found things - yet still it is dragging along. So I have been reading many forums and believe the next step is to have a expert review the hijackthis log, so here it is - Any help would be wonderful!! Thanks!!!

ljculler



Logfile of HijackThis v1.98.2
Scan saved at 9:15:23 PM, on 9/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\msupdater.exe
C:\WINDOWS\System32\32RUNdll.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\WINDOWS\System32\ntsvc.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\WINDOWS\System32\regscan32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shenandoah.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [msupdater] msupdater.exe
O4 - HKLM\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\Run: [NT Services] ntsvc.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [Windows Registry Scan] regscan32.exe
O4 - HKLM\..\RunServices: [ms] ms.exe
O4 - HKLM\..\RunServices: [NT Services] ntsvc.exe
O4 - HKLM\..\RunServices: [msupdater] msupdater.exe
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan32.exe
O4 - HKCU\..\Run: [Windows Runtime Proccess] 32RUNdll.exe
O4 - HKCU\..\RunServices: [Windows Runtime Proccess] 32RUNdll.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096299460531

Hi ljculler,

You are infected with the WORM_SDBOT.QW virus among other things.

Perform a couple of online virus scans. Choose at least two of the following sites listed.

Trend Micro Housecall
http://housecall.trendmicro.com/

Panda Active Scan
www.pandasoftware.com/activescan/activescan

Bitdefender
http://www.bitdefender.com/scan/licence.php

Please post the results and a fresh hijackthis log.

Tom

Thanks so much for your help!!! Here are the results of all 3 scans you suggested and the update hijackthis log.


REG_LOWZONES.A c:\windows\system32\re11.REG
REG_LOWZONES.A c:\windows\system32\YEA.REG
TROJ_STILEN.A c:\windows\temp\MIW.exe

C:\aaa.exe Virtool.Xscan.Plugin
C:\Program Files\mt.html
C:\v3.exe
C:\windows\system32\blank.html
C:\windows\systerm32\config\systemprofile\Local Settings\Temporary Internet Files\content.IE5\o5engl2j\v3[1].exe
C:\windows\system32\dat\easy_user.dic infected:
C:\windows\system32\dir32.exe
C:\windows\systerm32\o
C:\windows\system32\ms.exe
C:\windows\system32\msupdater.exe
C:\windows\system32\plugin\
C:\windows\systerm32\roundSTID.exe
C:\windows\system32\staff.html
C:\windows\system32\van32.exe
C:\windows\system32\x.exe


Virus:W32/Gaobot.AIY.worm Disinfected Operating system
Virus:Trj/Virtumonde.E Disinfected C:\Documents and Settings\All Users\Application Data\WinAntiVirus Corp\WinAntiVirus 2004\Quarantine\A0078533.exeaylnlfdx
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
Virus:W32/Randon Disinfected C:\WINDOWS\system32\dirote.exe
Virus:W32/Randon.BL.worm Disinfected C:\WINDOWS\system32\dorod.exe
Virus:W32/Randon.BL.worm Disinfected C:\WINDOWS\system32\dorod.ini
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:W32/Randon.BQ.worm Disinfected C:\WINDOWS\system32\emoti.bat
Virus:W32/Sdbot.AMC.worm Disinfected C:\WINDOWS\system32\TFTP3180

Logfile of HijackThis v1.98.2
Scan saved at 8:38:25 PM, on 9/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [msupdater] msupdater.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [Windows Registry Scan] regscan32.exe
O4 - HKLM\..\RunServices: [ms] ms.exe
O4 - HKLM\..\RunServices: [msupdater] msupdater.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan32.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096299460531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

You might want to print these instructions for reference, as you will be off the internet while using HijackThis.

Please move or unzip HijackThis to a permanent folder such as C:\HJT It is important that it is in it's own folder as it will make important backups of what we will fix.

Please open My Computer > double-click your C:\ drive > File > New > Folder > name it HJT and put HijackThis into that folder.

Then....

Logoff your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [msupdater] msupdater.exe
O4 - HKLM\..\Run: [Windows Registry Scan] regscan32.exe
O4 - HKLM\..\RunServices: [ms] ms.exe
O4 - HKLM\..\RunServices: [msupdater] msupdater.exe
O4 - HKLM\..\RunServices: [Windows Registry Scan] regscan32.exe

Then....

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK.

Search for and delete the following files:
C:\windows\system32\msupdater.exe
regscan32.exe
C:\windows\system32\ms.exe

Then....

Open My Computer, browse to C:\documents and settings\User Name(repeat for all users)\local settings\temp folder and delete all files and folders in it.

Open My Computer, browse to C:\Windows\Temp folder and delete all files and folders in it.

Open Internet Explorer click Tools > Internet Options > General. Click "Delete Files",also check "delete all offline content" Click OK.

Empty your Recycle Bin.

Reboot normally and post a fresh hijackthis log.

Tom

Logfile of HijackThis v1.98.2
Scan saved at 11:19:14 AM, on 10/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096299460531
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

did we get it?

Now that's a clean log! Good work!!!

Keep in mind if you still feel CPU usage is high: Windows Update is downloading updates.

C:\WINDOWS\System32\wuauclt.exe is the Auto Update running.

My guess is that it is probably downloading Service Pack 2, wich will take weeks if you are using a dialup connection.

Next....

In light of the recent infections, let's purge system restore.

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 Create a new Restore Point.
6 Click OK.

These are tools that will help keep you from getting infected again:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary.. Repeat this until you get the message "no critical updates available" http://v4.windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?
http://computercops.biz/postlite7736-.html

Tom